public inbox for overseers@sourceware.org
* aging inactive users
From: Frank Ch. Eigler @ 2024-04-06  1:13 UTC (permalink / raw)
  To: overseers

Hi -

Sourceware does not have a mechanical process for aging out hosted
project contributors who have not logged on for a long time.  Given
that projects haven't undertaken this sort of janitorial task, it's
probably time that we put one in place.

A brief shell script scanning ssh authentication logs in
/var/log/secure* spanning a year indicates that only about 1/4 of our
accumulated user base has been active during that time.
(/sourceware/infra/bin/list-ssh-login)

After gathering feedback here, I plan to send a batch of email to
those found not to be active (via their USER@sourceware.org email
addresses).  Then a few weeks later, if they still haven't become
active, I plan to set them to "gid=emeritus" status, so those accounts
can no longer log in.  (This status is easy to reverse if anyone there
is ready to return.)

For administrative/shared accounts, one needs to do this analysis on a
per-key basis.  It probably needs to be more recent, considering the
greater privileges of these accounts, say 6 months.  There, a more
manual process to compare ssh-keygen -l lists against the actually
used ssh fingerprints could be used.  That way, we can age out only
those users & keys that have not been used, but preserve others.  I'll
work out another little script for that postprocessing and get it to
note findings via email too.

I propose to repeat this exercise every few months.

Feedback & comments welcome.

- FChE


* Re: aging inactive users
From: Andrew Pinski @ 2024-04-06  2:13 UTC (permalink / raw)
  To: Overseers mailing list; +Cc: Frank Ch. Eigler

On Fri, Apr 5, 2024 at 6:13 PM Frank Ch. Eigler via Overseers
<overseers@sourceware.org> wrote:
>
> Hi -
>
> Sourceware does not have a mechanical process for aging out hosted
> project contributors who have not logged on for a long time.  Given
> that projects haven't undertaken this sort of janitorial task, it's
> probably time that we put one in place.

I have been meaning to ask about this since LLVM started doing the
same a few months ago.
https://discourse.llvm.org/t/rfc-new-criteria-for-commit-access/76290
is when they started.

Thanks,
Andrew Pinski


>
> A brief shell script scanning ssh authentication logs in
> /var/log/secure* spanning a year indicates that only about 1/4 of our
> accumulated user base has been active during that time.
> (/sourceware/infra/bin/list-ssh-login)
>
> After gathering feedback here, I plan to send a batch of email to
> those found not to be active (via their USER@sourceware.org email
> addresses).  Then a few weeks later, if they still haven't become
> active, I plan to set them to "gid=emeritus" status, so those accounts
> can no longer log in.  (This status is easy to reverse if anyone there
> is ready to return.)
>
> For administrative/shared accounts, one needs to do this analysis on a
> per-key basis.  It probably needs to be more recent, considering the
> greater privileges of these accounts, say 6 months.  There, a more
> manual process to compare ssh-keygen -l lists against the actually
> used ssh fingerprints could be used.  That way, we can age out only
> those users & keys that have not been used, but preserve others.  I'll
> work out another little script for that postprocessing and get it to
> note findings via email too.
>
> I propose to repeat this exercise every few months.
>
> Feedback & comments welcome.
>
> - FChE


* Re: aging inactive users
From: Mark Wielaard @ 2024-04-07 22:29 UTC (permalink / raw)
  To: Frank Ch. Eigler via Overseers; +Cc: Frank Ch. Eigler

Hi Frank,

On Fri, Apr 05, 2024 at 09:13:07PM -0400, Frank Ch. Eigler via Overseers wrote:
> Sourceware does not have a mechanical process for aging out hosted
> project contributors who have not logged on for a long time.  Given
> that projects haven't undertaken this sort of janitorial task, it's
> probably time that we put one in place.
> 
> A brief shell script scanning ssh authentication logs in
> /var/log/secure* spanning a year indicates that only about 1/4 of our
> accumulated user base has been active during that time.
> (/sourceware/infra/bin/list-ssh-login)
> 
> After gathering feedback here, I plan to send a batch of email to
> those found not to be active (via their USER@sourceware.org email
> addresses).  Then a few weeks later, if they still haven't become
> active, I plan to set them to "gid=emeritus" status, so those accounts
> can no longer log in.  (This status is easy to reverse if anyone there
> is ready to return.)

I assume that this means the email forward will keep working and that
an id will never be reused?

> For administrative/shared accounts, one needs to do this analysis on a
> per-key basis.  It probably needs to be more recent, considering the
> greater privileges of these accounts, say 6 months.  There, a more
> manual process to compare ssh-keygen -l lists against the actually
> used ssh fingerprints could be used.  That way, we can age out only
> those users & keys that have not been used, but preserve others.  I'll
> work out another little script for that postprocessing and get it to
> note findings via email too.
> 
> I propose to repeat this exercise every few months.

So "normal" accounts would expire after one year of inactivity.
"admin" accounts would expire after 6 months of inactivity.

Users will get an email that this is about to happen, giving them an
opportunity to activate their account (in say 2 weeks?). Would a
simple "alive" be enough or do we require an actual push of a commit?

I would propose to then run this process every quarter (3 months).

Thanks,

Mark


* Re: aging inactive users
From: Sam James @ 2024-04-08  4:32 UTC (permalink / raw)
  To: Mark Wielaard via Overseers; +Cc: Mark Wielaard

Mark Wielaard via Overseers <overseers@sourceware.org> writes:

> Hi Frank,
>
> On Fri, Apr 05, 2024 at 09:13:07PM -0400, Frank Ch. Eigler via Overseers wrote:
>> Sourceware does not have a mechanical process for aging out hosted
>> project contributors who have not logged on for a long time.  Given
>> that projects haven't undertaken this sort of janitorial task, it's
>> probably time that we put one in place.
>> 
>> A brief shell script scanning ssh authentication logs in
>> /var/log/secure* spanning a year indicates that only about 1/4 of our
>> accumulated user base has been active during that time.
>> (/sourceware/infra/bin/list-ssh-login)
>> 
>> After gathering feedback here, I plan to send a batch of email to
>> those found not to be active (via their USER@sourceware.org email
>> addresses).  Then a few weeks later, if they still haven't become
>> active, I plan to set them to "gid=emeritus" status, so those accounts
>> can no longer log in.  (This status is easy to reverse if anyone there
>> is ready to return.)
>
> I assume that this means the email forward will keep working and that
> an id will never be reused?
>
>> For administrative/shared accounts, one needs to do this analysis on a
>> per-key basis.  It probably needs to be more recent, considering the
>> greater privileges of these accounts, say 6 months.  There, a more
>> manual process to compare ssh-keygen -l lists against the actually
>> used ssh fingerprints could be used.  That way, we can age out only
>> those users & keys that have not been used, but preserve others.  I'll
>> work out another little script for that postprocessing and get it to
>> note findings via email too.
>> 
>> I propose to repeat this exercise every few months.
>
> So "normal" accounts would expire after one year of inactivity.
> "admin" accounts would expire after 6 months of inactivity.
>
> Users will get an email that this is about to happen, giving them an
> opportunity to activate their account (in say 2 weeks?). Would a
> simple "alive" be enough or do we require an actual push of a commit?
>
> I would propose to then run this process every quarter (3 months).

Our policy is
https://wiki.gentoo.org/wiki/Project:Retirement/For_developers, if that
helps.

The overview is:
"Inactivity retirement. Happens after roughly 12-16 months of inactivity
and four warning mails. The exact timeline and process depends on the
developer's prior activity and current situation."

Then the policy on e.g. email fwd etc is on the link above. I think the
timeline may not be suitable for sourceware but hopefully seeing some
precedent overall may help.

>
> Thanks,
>
> Mark

thanks,
sam


* Re: aging inactive users
From: Frank Ch. Eigler @ 2024-04-08 16:20 UTC (permalink / raw)
  To: Mark Wielaard; +Cc: Frank Ch. Eigler via Overseers

Hi -

> [...]
> I assume that this means the email forward will keep working and that
> an id will never be reused?

Yes.

> [...]
> So "normal" accounts would expire after one year of inactivity.
> "admin" accounts would expire after 6 months of inactivity.

Yes.

> Users will get an email that this is about to happen, giving them an
> opportunity to activate their account (in say 2 weeks?). Would a
> simple "alive" be enough or do we require an actual push of a commit?

Any ssh login would be enough, i.e., even a git clone over ssh:, to
demonstrate he or she is still in control of the ssh keys.

> I would propose to then run this process every quarter (3 months).

Sure.

- FChE
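
The scan described in the first message, with the thresholds settled in the thread (one year for normal accounts, 6 months per key for administrative/shared accounts), can be sketched as follows. This is an added example, not the list-ssh-login script or any Sourceware code; the account names, placeholder key blobs, log lines, function names and the 182-day reading of "6 months" are assumptions for illustration.

```python
import base64, contextlib, hashlib, re
from datetime import datetime, timedelta

ACCEPTED = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: Accepted publickey "
                      r"for (\S+) from \S+ port \d+ ssh2: \S+ (SHA256:\S+)")

def fingerprint(key_line):
    """SHA256 fingerprint of a 'type blob comment' key line, in ssh-keygen -l form."""
    blob = base64.b64decode(key_line.split()[1])
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def parse_stamp(stamp, now):
    """Traditional syslog stamps omit the year: take the newest valid, non-future one."""
    for year in (now.year, now.year - 1):
        with contextlib.suppress(ValueError):  # e.g. Feb 29 stamp in a non-leap year
            when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
            if when <= now:
                return when
    return None  # cannot be placed inside the scanned year

def last_seen(log_lines, now):
    """Map (user, fingerprint) -> latest 'Accepted publickey' login in sshd log lines."""
    seen = {}
    for stamp, user, fp in (m.groups() for m in map(ACCEPTED.match, log_lines) if m):
        if when := parse_stamp(stamp, now):
            seen[(user, fp)] = max(seen.get((user, fp), when), when)
    return seen

def stale(accounts, seen, now):
    """accounts: {user: (is_admin, [key lines])} -> (inactive users, idle admin keys)."""
    inactive, unused = [], []
    for user, (is_admin, keys) in sorted(accounts.items()):
        limit = now - timedelta(days=182 if is_admin else 365)
        idle = [fp for fp in map(fingerprint, keys) if seen.get((user, fp), datetime.min) < limit]
        if len(idle) == len(keys):
            inactive.append(user)
        elif is_admin:  # shared account still in use: age out only the idle keys
            unused += [(user, fp) for fp in idle]
    return inactive, unused

# Constructed sample data: placeholder key blobs and log lines, not real ones.
def sample_key(name):
    return f"ssh-ed25519 {base64.b64encode(name.encode()).decode()} {name}"
NOW = datetime(2024, 4, 8, 16, 20)
ACCOUNTS = {"alice": (False, [sample_key("alice")]), "bob": (False, [sample_key("bob")]),
            "sharedadm": (True, [sample_key("carol"), sample_key("dave")])}
LOG = [f"{stamp} host sshd[1234]: Accepted publickey for {user} from 192.0.2.10 "
       f"port 50022 ssh2: ED25519 {fingerprint(sample_key(owner))}"
       for stamp, user, owner in (("Mar 30 10:00:00", "alice", "alice"),
       ("Dec 25 09:30:00", "sharedadm", "carol"), ("Jun  1 08:00:00", "sharedadm", "dave"))]
```

With the sample data, `stale(ACCOUNTS, last_seen(LOG, NOW), NOW)` reports bob as inactive and only the "dave" key of the shared account as idle; the account itself stays active through the "carol" key.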
